Facebook made headlines last Friday with its announcement that it had been the victim of a sophisticated security attack. All major news publications picked up the story, citing widespread concern about the implications of the breach.

The breach itself, however, was largely a nonevent from a security standpoint.

Facebook identified the security breach before it infiltrated too deeply into company systems, remediated all compromised machines, informed law enforcement, and reported the Java exploit to its parent owner Oracle – acting quickly and appropriately. Most importantly, Facebook made it clear that the breach did not expose any of its users’ data.

In spite of Facebook’s quick response and the relatively minor impact of the breach, it was still a huge news event because it was Facebook. Some security analysts went as far as to classify the reaction from the press as “irresponsible” journalism. Especially considering that Facebook is only one of a growing list of prominent organizations that have announced security breaches in the past month (a list that includes organizations such as Bit9, The New York Times, The Wall Street Journal, and Twitter), it’s interesting that Facebook’s breach became the big story that it did. For example, Twitter’s security breach potentially exposed user data for approximately 250,000 accounts. LinkedIn faced a breach last summer that also compromised a large number of member passwords. Facebook’s breach compromised ZERO.

So why all the headlines about a relatively harmless event?

It’s actually all about the “could haves”: the potential impact a major security breach could have on Facebook, the implications it could have on the way consumers engage on the social network, the impact it could have on Facebook’s bottom line. Facebook’s reputation and business model rely heavily on one thing in particular – consumer trust – and that trust appears to be wavering.

Even before last week’s breach announcement, recent data trends point to users decreasing the amount of time they spend on the site and that people are even beginning to abandon Facebook in "droves." Other recent articles offer advice on how Facebook users can minimize the amount of information they share and reduce their exposure in the case of a breach (such as this article, which came out a week before Facebook’s breach announcement).

At the same time, Facebook continues to ask people to do the exact opposite: use the site more frequently, share more information about themselves, check-in at local coffee shops, use mobile payments, etc. – all of which is critical to Facebook’s efforts to monetize its product and bring value to the company. But the more Facebook seeks ways to embed itself further in consumer lives, the more personal information there is on the site that can put these same consumers at risk. With the stakes as high as they are today, even relatively minor breaches such as this one will garner lots of attention.

Facebook dodged a bullet this time, but it can’t remain complacent. One major security breach could fundamentally alter the way people interact on the social network, diminish their willingness to share even basic personal information, and may be reason enough for them to leave Facebook altogether.

One thing from this breach is very clear: Facebook’s reputation and business model are on the line now more than ever before. Consumer trust is one thing the social network can’t afford to lose.

Nick, I agree that in terms of actual impact, this one is minimum. But I think the fact that FB is under attack is in itself a very interesting event. We probably all know that these high profile services are under constant attack, but actually having FB come out and say there had been a successful breach is a huge event. Apple subsequently said they were under attack as well. I think these events will help draw attention to just how brittle some of the cyber defenses are and no one can afford to put their heads in the sand.

I completely agree, Chenxi. FB's breach is only a nonevent from the standpoint that the impact was minor and FB dealt with it fairly well this time around. But to your point, this event (along with the number of other recent high-profile breaches) shows FB can be breached and that in itself is very significant. As I mention in the post, it's about the "could haves" and the consequences for FB and its users if a major breach were to occur. Great point.

Is there something going on with my fb account? I'm asked frequently to log on with my e/address and password [which is never accepted] the only way in, is to re do my password. I've learned [not tech savvy] how to delete "cookies" and do this frequently . . . is the password requirement attached to "cookies" in some way ? This is annoying and time consumining !
OR, am I being skammed in some way ? Granny Linda